WebApp Sec mailing list archives
RE: applet security
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Tue, 10 Jan 2006 10:11:18 -0500
If a Web site is distributing safe-for-scripting ActiveX controls as part of a Web application, then these controls need a security audit. Typical security problems in ActiveX controls include:

- Unsafe methods which allow access to the Windows file system or registry
- Unsafe methods which allow programs to be executed
- Unsafe methods for uploading and downloading files
- Buffer overflow errors in properties and methods
- Unsafe controls mistakenly marked safe-for-scripting

Java applets typically run in a sandbox inside of a Web browser and are much less likely to have security problems.

Question for the list: Does OWASP cover ActiveX security issues at all? They are part of some Web applications.

Richard M. Smith

-----Original Message-----
From: test.future () gmail com [mailto:test.future () gmail com]
Sent: Monday, January 09, 2006 5:25 AM
To: webappsec () securityfocus com
Subject: applet security

Our auditor advised that controls have to be in place to use applets in a web application. I wonder what kind of controls are available? I searched OWASP but can't find anything. Thanks for any advice.
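The last item in the list above, controls mistakenly marked safe-for-scripting, is the one an auditor can start on from the registry. The script below is an added example (not from the thread or from any project it mentions) that inventories the controls on a Windows host which are statically registered under the safe-for-scripting category and reports those not blocked by an Internet Explorer kill bit. It assumes an elevated PowerShell session on Windows; the category GUIDs and the 0x400 kill-bit flag are the documented values.

```powershell
# Added example: inventory ActiveX controls marked safe-for-scripting and flag
# those without an Internet Explorer kill bit. Assumes an elevated PowerShell
# session on Windows. The GUIDs are the documented component categories
# (CATID_SafeForScripting / CATID_SafeForInitializing); 0x400 is the kill bit
# in the "Compatibility Flags" value.
$CatSafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CatSafeForInit      = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$KillBitRoot         = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit             = 0x400

function Get-SafeForScriptingControls {
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $clsid = $_.PSChildName
        $base  = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        # Only controls that registered the safe-for-scripting category matter here.
        if (-not (Test-Path "$base\Implemented Categories\$CatSafeForScripting")) { return }

        $name   = (Get-ItemProperty -Path $base -ErrorAction SilentlyContinue).'(default)'
        $server = (Get-ItemProperty -Path "$base\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        $flags  = (Get-ItemProperty -Path (Join-Path $KillBitRoot $clsid) `
                      -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'

        [pscustomobject]@{
            CLSID       = $clsid
            Name        = $name
            Server      = $server
            SafeForInit = Test-Path "$base\Implemented Categories\$CatSafeForInit"
            # [int]$null is 0, so a missing Compatibility Flags value reads as "no kill bit".
            KillBitSet  = (([int]$flags) -band $KillBit) -ne 0
        }
    }
}

# Controls marked safe-for-scripting that IE will still instantiate from a web page.
# A control can also claim safety at run time through IObjectSafety, so this
# registry-only inventory is the starting point of the audit, not the complete list.
Get-SafeForScriptingControls | Where-Object { -not $_.KillBitSet } |
    Sort-Object Name | Format-Table CLSID, Name, Server, SafeForInit -AutoSize
```

Each control in the output is a candidate for the method-level review described above (file system, registry, process execution, file transfer, buffer handling); the kill bit is the mitigation for any control that fails it.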